US Muni Market lowly Starts Paying Heed to Cyber Risks
Thomson Reuters, Business Insurance, June 2017
A rise in cyber attacks on U.S. public sector targets so far has had little impact in the $3.8 trillion municipal debt market, with no issuer as yet hit by a downgrade or higher borrowing costs because of a cyber security threat.
That is beginning to change.
S&P Global has begun to quiz states, cities and towns about their cyber defenses, and some credit analysts are starting to factor cyber security when they look at bonds. Moody’s Investors Service is also trying to figure out how to best evaluate cyber risk.
The shift follows a particularly steep rise in ransomware attacks, when criminals hold an entity’s computer system hostage until a small ransom is paid.
The number of global ransomware detections rose 36 percent in 2016 from the year before, to 463,841, with the United States most heavily affected, according to cyber security firm Symantec Corp.
Such attacks, which have also hit companies and federal entities, have spared no kind of municipal issuer large or small, from police departments to school districts and transit agencies. Ransomware attacks on state and local governments and their agencies have risen in proportion with the overall increase, according to cyber insurance provider Beazley Group.
“State and local governments are a huge target, quite frankly an easy target for bad guys,” said Bob Anderson, managing director for information security at Navigant management consulting firm in Washington and a former global cyber investigator at the Federal Bureau of Investigation.
Last month’s “WannaCry” ransomware attack, which hobbled global businesses and Britain’s National Health Service, may also be prompting renewed focus on cyber security, though it had minimal impact in the United States.
Considering a potential cyber attack as a similar risk to a natural disaster, S&P has already been reviewing cyber security defenses of utilities, hospitals and colleges because they were early public sector targets for hackers.
Now it is also beginning to ask cities and states about the costs and level of security measures and the financial impact of successful attacks, said Geoffrey Buswick, who manages S&P’s public sector ratings.
Head in the Sand
The answers feed into broader categories that affect an issuer’s ratings, particularly governance, liquidity and operations.
Many breaches are handled quickly and financial damage is limited, but not every attack will necessarily end that way, Mr. Buswick said. “We’re trying to get sense of who has their head in the sand and who doesn’t.”
Fitch Ratings said it does not consider cyber security in its ratings, and many investors still are not concerned enough to ask for details.
In part, that is because it can be difficult to assess the operational and financial fallout of such attacks. Some high-profile breaches so far have also done limited damage to issuers’ finances.
Case in point is the state of South Carolina, which in August 2012 suffered possibly the worst cyber attack yet of any city or state.
When hackers stole the personal data of more than 3.5 million taxpayers, the state had to investigate, provide credit monitoring and consumer fraud protection, and implement a slew of post-breach upgrades, according to State Senator Thomas Alexander.
The total cost is around $76 million and counting, he said. That is enough to pay for several school programs combined. But against South Carolina’s annual general fund budget of roughly $8 billion, the costs made no dent in its standing as a borrower.
Many issuers do not disclose any information to potential investors in bond documents about cyber risks or defenses. But a few, particularly hospitals and utilities, have started doing so.
In a February prospectus, the Maryland Health and Higher Educational Facilities Authority, the state’s largest public debt issuer, included nearly a full page devoted to the growing risk of cyber attacks. “Because we’re such a large issuer, and because healthcare is often treated much more like a corporate credit, the legal counsels to the transaction weigh in on the bondholder risk section,” said Annette Anselmi, the authority’s executive director, noting that such disclosures also evolve depending on what kinds of questions the market is asking.
Hospitals are also ahead on cyber security disclosure because they rely on huge amounts of data, said Court Street Group analyst Joseph Krist. Eventually, he expects others to follow suit.
“We went through this with getting munis to … disclose more pension information. Those were frankly long and painful processes. It just has to get to a critical mass.”
Business Insurance
Categories
- Benefits Resources
- Bonding
- BOP
- Business Insurance
- Commercial Auto
- Commercial Property
- Company News
- Construction
- Crime Insurance
- Cyber Insurance
- Directors & Officers
- Employee Benefits
- Employment Practice Liability Insurance
- Entertainment
- General Liability
- Health Insurance
- Healthcare
- Healthcare Reform
- Homeowners Insurance
- Hospitality
- Manufacturing
- Medical Malpractice
- Mining & Energy
- Nightclubs
- Personal Auto
- Personal Insurance
- Professional
- Restaurants
- Retail & Wholesale
- Risk Management Resources
- Safety Topics
- SBA Bonds
- Security
- Seminars
- Technology
- Tourism
- Transportation
- Uncategorized
- Workers Compensation
Archives
- May 2021
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- November 2018
- September 2018
- August 2018
- May 2018
- April 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- August 2017
- July 2017
- June 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- September 2014
- August 2014
- July 2014
- June 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- August 2013
- July 2013
- June 2013
- February 2013
- November 2011
- October 2011
- September 2011
- July 2011
- June 2011
- March 2011
- November 2010
- October 2010
- September 2010
- April 2010
- February 2010
- November 2009
- October 2009
- November 2008
- August 2008